- The MAILING DATE of this communication appears on the cover sheet with the correspondence address -
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).

- Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) ☒ Responsive to communication(s) filed on 26 June 2000.
2a) □ This action is FINAL. 2b) ☒ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.
Disposition of Claims 

4) ☒ Claim(s) 1-35 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) ☒ Claim(s) 23 and 27-30 is/are allowed.

6) ☒ Claim(s) 1-22, 24-26 and 31-35 is/are rejected.

7) □ Claim(s) is/are objected to.

8) □ Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) □ The specification is objected to by the Examiner.

10) ☒ The drawing(s) filed on 26 June 2000 is/are: a)^ accepted or b)^ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
11) □ The proposed drawing correction filed on is: a) □ approved b) □ disapproved by the Examiner.

If approved, corrected drawings are required in reply to this Office action. 

12) □ The oath or declaration is objected to by the Examiner.
Priority under 35 U.S.C. §§ 119 and 120

13) □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).

a) □ All b) □ Some* c) □ None of:

1. □ Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. .



3. □ Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 

14) □ Acknowledgment is made of a claim for domestic priority under 35 U.S.C. § 119(e) (to a provisional application).

a) □ The translation of the foreign language provisional application has been received.

15) □ Acknowledgment is made of a claim for domestic priority under 35 U.S.C. §§ 120 and/or 121.
Attachment(s) 



1) 1^ Notice of References Cited (PTO-892) 

2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948)

3) ^ Information Disclosure Statement(s) (PTO-1449) Paper No(s) 2^ .

4) □ Interview Summary (PTO-413) Paper No(s).

5) □ Notice of Informal Patent Application (PTO-152)

6) □ Other:



U.S. Patent and Trademark Office 
PTO-326 (Rev. 04-01) 
DETAILED ACTION

This is a first office action on the merits of this case. Claims 1-35 are presented 
for examination. 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

1. Claims 1-22, 24-26, and 31-35 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Parker ("Single Sign-On Systems - the Technologies and the
Products," 1995), in view of M2 Presswire ("Encommerce," May 3, 2000, hereinafter
"M2").

In considering claims 1, 24, and 26, Parker discloses a method, network device,
and computer usable medium for conveying access control information (a.c.i.) from one
network device to another network device through an end user device, comprising:
The one network device ("remote security server") in response to a first message
received from the end user device ("user") containing access control information
("authentication ticket"), sending a response message ("access ticket") to the end user
device containing the a.c.i. (p. 152, ¶ 3, lines 1-5), the response message being
adapted to cause the end user device to send a second message to the another
network device ("target") containing at least part of the a.c.i. (p. 152, ¶ 3, lines 5-6);
Wherein at least part of the a.c.i. is used to control access to a protected resource on at
least one of the first and second network devices (p. 152, ¶ 3, wherein the tickets are
used to access protected resources).

However, Parker does not disclose that the two network devices are on different 
domains. Instead, Parker simply states that the two servers are "part of the single sign- 
on product." Nonetheless, including network devices from different domains on a single 
sign-on system is well known, as evidenced by M2. In a similar art, M2 discloses a 
multi-domain single sign-on system that allows Internet domains owned by different 
companies or business partners to both participate in the single sign-on system (p. 1,
last paragraph). Thus, given the teaching of M2, it would have been obvious to a 
person having ordinary skill in the art to use the single sign-on system taught by Parker 
for multiple domains, as taught by M2, so that different e-commerce companies can 
coordinate their user access and information to gain market share. 

In considering claim 2, Parker further discloses that the response message 
contains the a.c.i. (the "access ticket") and a network device identifier for the another 
network device (i.e. receipt of the access ticket instructs the user device to access the 
another network device, p. 152, ¶ 3). Parker further discloses that the second message
contains at least part of the a.c.i. (p. 152, ¶ 3, i.e. the "access ticket").

However, neither Parker nor M2 discuss which part of the communication packet 
(i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes official 
notice that including information in either the header or content portion of a data packet 
is well known in the art. Thus, storing the a.c.i. in the content portion, as claimed in
claim 2, rather than in the header portion is a matter of design choice, and would have 
been obvious to a person having ordinary skill in the art to simplify header processing of 
the packet. 

In considering claim 3, Parker further discloses that the first message has a 
header portion and a content portion (inherent in any Internet communication system), 
and further discloses extracting the a.c.i. from the packet for use in the response 
message (p. 152, ¶ 3, wherein the access ticket is extracted from the response and
placed in the second message for delivery to the target). 

However, neither Parker nor M2 discuss which part of the communication packet 
(i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes official 
notice that including information in either the header or content portion of a data packet 
is well known in the art. Thus, storing the a.c.i. in the header portion, as claimed in 
claim 3, rather than in the content portion is a matter of design choice, and would have 
been obvious to a person having ordinary skill in the art to simplify content processing of 
the packet. 

In considering claim 4, Parker further discloses that the first message has a 
header portion and a content portion (inherent in any Internet communication system), 
and further discloses extracting the a.c.i. from the packet for use in the response 
message (p. 152, ¶ 3, wherein the access ticket is extracted from the response and
placed in the second message for delivery to the target). 

However, neither Parker nor M2 discuss which part of the communication packet 
(i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes official 
notice that including information in either the header or content portion of a data packet 
is well known in the art. Thus, storing the a.c.i. in the content portion, as claimed in 
claim 4, rather than in the header portion is a matter of design choice, and would have 
been obvious to a person having ordinary skill in the art to simplify header processing of 
the packet. 

In considering claim 5, Parker further discloses that hidden content is used in the 
response message to contain the a.c.i. (the "access ticket" is not actually seen by the 
user). 

In considering claims 6, 12 and 16, although the system taught by Parker and M2 
teaches substantial features of the claimed invention, it fails to disclose presenting an 
option to the end user device for user acceptance or to change and/or delete any of the 
user-specific information before sending the message to the another network. 
Nonetheless, Examiner takes official notice that changing user profile information in a 
network access system is well known in the art. Thus, given this knowledge, it would 
have been obvious to a person having ordinary skill in the art to change the user- 
specific information in the system taught by Parker and M2 before sending the message 
to the another network, to give the user manual control over the method of presentation
of the requested data. 



In considering claim 7, M2 further discloses formatting the messages as a 
custom content type (p. 1, ¶ 2, "user and resource profiles"). Thus, given the teaching
of M2, it would have been obvious to include the custom content type in the content
portion of the response taught by Parker, so that the user entering the second domain
could still gain access to personalized, customized information.



In considering claim 8, Parker further discloses that at least part of the response 
message is protected by cryptographic means (p. 152, ¶ 5, line 1, "protected
cryptographically"). 

In considering claim 9, Examiner takes official notice that the use of HTTP on the 
Internet is notoriously well known. Therefore it would have been obvious for the 
messages taught by Parker to be HTTP messages, so that the system taught by Parker 
could be used with the majority of Internet applications and documents. 



In considering claim 10, Parker further discloses that the a.c.i. is a ticket.
Although Parker does not explicitly use the term "cookie" or describe the use of cookies,
the use of cookies to carry access control information and other user information is well
known in the art, as described by M2 (p. 2, ¶ 6, "every time a user logs in, a unique key
is generated and used to encrypt cookies for that session,"). Thus, given the knowledge
that cookies could carry a.c.i. information, it would have been obvious to a person 
having ordinary skill in the art to use a cookie to carry the a.c.i. information taught by 
Parker so that the information could be stored and reused, thereby decreasing 
authentication and authorization time during session login. 

In considering claims 11 and 14, M2 further discloses the use of user-specific
information in requesting documents from the multi-domain SSO system (p. 1, ¶ 2, "user
and resource profiles"). Thus, given the teaching of M2, it would have been obvious to
pass instructions regarding user-specific information in the response taught by Parker
and including the user-specific information in the second message, so that the user
entering the second domain could still gain access to personalized information.

In considering claim 13, Parker further discloses an initial network device 
("remote authentication server") accessed by the end user device, the method further 
comprising: 

Prior to sending the response message, 

a. the initial network device receiving an initial access request from 
the end user device to access a protected resource on the initial network device 
(p. 152, ¶ 2, lines 1-2);

b. the initial network device performing an authentication process to 
determine if access should be granted ("authentication") and if so, responding 
with an access response message specifying the a.c.i. ("date token or certificate
which can subsequently be used to prove the user's identity") in association with
the domain of the initial network device and causing the end user device to send
the first message (p. 152, ¶ 2, lines 2-7; ¶ 3, lines 1-4); and
On an ongoing basis after performing the authentication process allowing 
subsequent access to the protected resource to requests containing the access control 
information (p. 152, col. 2, lines 4-8). 

Although Parker refers to the initial device ("remote authentication server") and 
the one network device ("remote security server") as different devices (and thus does 
not teach that the one network device is an initial device, as claimed), it would have 
been obvious to a person having ordinary skill in the art to merge these two devices into 
one, as claimed, in order to decrease network traffic and simplify the network 
communications in the system. 

In considering claim 15, M2 further discloses that the user specific information 
comprises at least one of purchase enabling information and personal data ("user and 
resource profiles," p. 1, ¶ 2).

In considering claim 17, Parker further discloses protecting the a.c.i. information 
via cryptographic means. Therefore, it would have been obvious to a person having 
ordinary skill in the art to additionally use cryptographic means to protect the user- 
specific information to increase security of the system. 

In considering claim 18, claim 18 includes no further limitations over claims 1, 2,
and 4, except that claim 18 requires that the a.c.i. is in both the header and the content 
portion of the response message. Nonetheless, Examiner takes official notice that 
including information in a header and a data portion of a packet is well known. Thus, 
storing the a.c.i. in the header portion and the content portion, as claimed in claim 18, is 
a matter of design choice, and would have been obvious to a person having ordinary 
skill in the art to balance the processing on both the header and the content portion of 
the packet. 

In considering claim 19, Parker further discloses that the another network device 
is specified in the input message (p. 152, ¶ 3, lines 1-2, "user selects a target
application server to access"). 

In considering claim 20, Parker further discloses that the another network device 
is specified by the network device (p. 152, ¶ 3, lines 4-6).

In considering claim 21, claim 21 contains no further limitations over claims 18 
and 13, except that claim 21 requires that the response to the initial access request 
includes the a.c.i. in the header portion of the packet. Nonetheless, Examiner takes 
official notice that including information in either the header or content portion of a data 
packet is well known in the art. Thus, storing the a.c.i. in the header portion, as claimed 
in claim 21, rather than in the content portion is a matter of design choice, and would
have been obvious to a person having ordinary skill in the art to simplify content 
processing of the packet. 

In considering claim 22, Parker further discloses the claimed authentication step 
(p. 152, ¶ 2, "authentication").

In considering claim 25, Parker further discloses a network device (server) 
adapted to implement the method of claim 18. 

In considering claims 31-33, claims 31-33, taken as a whole, contain no further 
limitations over claim 21, and are thus rejected for the same reasons as claim 21. 

Claim 34 contains the same limitations as claim 31, and is thus rejected for the
same reasons as discussed in claim 21 as well. 

Claim 35 contains no further limitations over claims 1, 2, 11, and 12 combined,
and is thus rejected for the same reasons as stated regarding those claims. 



Allowable Subject Matter 



2. Claims 23 and 27-30 are allowed.

The following is a statement of reasons for the indication of allowable subject
matter: In considering claim 23, the prior art of record fails to disclose or render obvious 
all of the limitations of the claim. Claims 27-30 depend from claim 23, and thus are 
allowable as well. 



The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Bradley Edelman whose telephone number is (703) 306-3041.
The examiner can normally be reached on Monday to Friday from 8:30 AM to
5:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Glen Burgess can be reached on (703) 305-4792. The fax phone numbers 
for the organization where this application or proceeding is assigned are as follows: 

For all After Final papers: (703) 746-7238. 

For all other correspondences: (703) 746-7239. 

Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whose telephone number is (703) 305-3900.



Conclusion 



BE 

June 18, 2003




Primary Examiner 



